QuoteReplyTopic: Using the new SMTP feature Posted: 01 September 2006 at 4:44pm

kspare wrote:

Roberto, I'm trying to get this working. I'm testing it on a server with a completly base spamfilter config. I have ldap sucessfully working, however when I try to send an email it doesn't even attempt to authenticate. How do you turn off anonymous email?

You can't turn off anonymous emails, otherwise SpamFilter will not be able to receive emails from the internet, as mail servers "talk" regular anonymous SMTP. If a client supports SMTP authentication, and it's enabled, the client will make a EHLO request to the server (SpamFilter). The server will respond with a welcome banner, indicating in it that it supports AUTH LOGIN (smtp authentication). The client should see that, and thus attempt to use authentication:

It is up to the client to send the auth commands. You could try to use SpamFilter's debug tab to capture the traffic to/from the client to see what is going on.

kspare wrote:

I also found that if you use active directory
authentication the client has to put the domainname infront of their
username. Whats the point of telling spamfilter the domain as well? Why
can't you just use the username for ad auth like you can for ldap
auth?

SpamFilter needs to know the domain name for Active Directory so it can
locate your Domain Controllers to authenticate. As with Active
Directory you could have child domains, and trusts with other domains,
a fully qualified username (domain\user or user@domain) is required to
uniquely identify the user.

I also found that if you use active directory authentication the client has to put the domainname infront of their username. Whats the point of telling spamfilter the domain as well? Why can't you just use the username for ad auth like you can for ldap auth?

Roberto, I'm trying to get this working. I'm testing it on a server with a completly base spamfilter config. I have ldap sucessfully working, however when I try to send an email it doesn't even attempt to authenticate. How do you turn off anonymous email?

It's as simple as 1. copying/installing SpamFilter in a new different directory.2. Rename the first SpamFilter NT service, so it won't be overwritten by the new service.3. Start the new SpamFilter in stand-alone mode (using SpamFilter.exe), and configure it to use a different IP or port4. Click on the "Create Service" button.

that is exactly what i'm suggesting.. and Roberto won't mind at all since the license is 'per server', I even 'heard' him say so himself in here some time ago :)

You will need (if you think you need it) a different database, and setup SF2 so that it listens on a different IP/port, and install it in a directory with a different name, as far as i know that is all it takes.

There have been discussions about running SF twice on the same box in this forum, better look them up for more details, i never had a need for dual sf, but i know it is doable, and fairly easy for that matter also.

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams

maybe you should run a second instance of SF, on a port other than 25, and make thise second instace treat your 'incoming' mail (from this customer) as usual for incoming mails from internet.... when the mails from this source is found O.K. relay it to your primary SF and use its SMTP feature.

any internal spammers should be picked up by this second instance (uses all the regular sf features, except some IP based ones) before they are sent to the outside world. If you set it up correctly you should be able to identify the offending internal ip from the 2nd instance's logs/QDB/FROM mail addy.

Setup your firewall so that no outside IP can send mails directly to this second instance ofcourse.

If i got this right in my head i think you should be able to filter all your 'internal' customers by making them use this internal spamfilter.

Just a suggestion, maybe i got it all wrong here and am talking rubbish (that wouldn't be a first)

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams

I presume that most of the spam detection relates to where the email origionates from, rather than the content of the email. Therefore what would be the best way to detect spam comming from an internal source?? (my client would effectively be an internal source if he relayed through me).?

If you whitelist your customer, then they will indeed be able to send any kind of emails (except viruses, those are always blocked if you have the A/V plugin). If they send spam, and it's ultimately sent and relayed by your server, yes, you do risk being blocked.

If you do not whitelist the customer, you do risk blocking legitimate emails, and could anger them. To alleviate this risk, there is an option in the SpamFilter.ini file:

;Add any IPs (separated by commas - no wildcards) that you do not wish to be automatically added to the Honeypot IP blacklist or the IP Blacklist CacheDoNotAddIPToHoneypot=

Adding your customer's IP to that key will prevent them from being permanently blocked by SpamFilter. The blocks will be made on individual emails. That *may* limit the amount of spam they send. Furthermore, as the SFDB filter only reports spammers that are in the local IP Blacklist Cache, you do not risk uploading their IP to the SFDB.

I have a client who I filter mail for, then send the ham to his email server. - working fine.

However, one of their laptop users came into their office last week, and sent 30,000 emails !!!! Obviously, after a short time their IP was blacklisted and it took us ages to find which laptop it was to isolate (they have over 1200 users).

What I want to do is make their server send all of their outgoing mail through me.

BUT.... as I see it, the majority of the spam tests will be useless (i.e. as their IP will be in my IP Whitelist). Also, if any spam were to get through, would this end up blacklisting my IP, not theirs ????

How can I get them to send mail through me and bock any spam that may come from their site unintentially ?

...well, the same answer above would apply to you.In SpamFilter, you can either add an IP whitelist for the customers, if the IP ranges they use are known.

If not, you could use SMTP Authentication, which is a configuration-setting available in most email clients. To authenticate users, SpamFilter can use Active Directory, an LDAP server, or Unix-style password files (like the ones sendmail would use for example).

Prior to v3.1, the only way to allow users to use SpamFilter as their "outgoing smtp server" is to add the IP ranges of the users in an IP whitelist. This was practical for companies where the users were within their internal network, so the IP range to whitelist was well defined. In an ISP scenario, where users are often connecting to the mail server from the internet, this could create difficulties in managing the IP ranges.

Starting with SpamFilter 3.1, we added support for SMTP auth (including SSL encryption). Active Directory, LDAP, and Unix-style password files can be used to authenticate senders. If a sender is authenticated successfully, they will be whitelisted and allowed to relay. The autnetication can be configured under the "Settings - User Authentication" tab in SpamFilter.

In regards to the last question, SpamFilter can only listen on one port for SMTP traffic, and on a different port for SSL traffic. If you enable the SSL port (the default is port 465), you could have the users who you wish to authenticate for outgoing SMTP traffic use the SSL port. SpamFilter comes with a default generic SSL certificate. Most email clients will display a warning to users as the certificate name won't match the name of your server. If you wish to use your own certificate, in the help file readme.html you will find details on how to export your SSL certificate into SpamFilter.

You cannot post new topics in this forumYou cannot reply to topics in this forumYou cannot delete your posts in this forumYou cannot edit your posts in this forumYou cannot create polls in this forumYou cannot vote in polls in this forum